Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.
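Indicator matching against logs, as the paragraph above describes, as an added example rather than anything shipped with the briefing: the indicator records, the stories and tags they point back to, and the log lines are all constructed placeholders, and the real attached IOC list is not reproduced here.

```python
import re
from typing import Dict, Iterable, List

# Constructed indicator records standing in for the briefing's attached IOC list.
# Each record keeps the story it came from and the briefing's tags so that a
# match points back to the write-up the analyst should read.
INDICATORS = [
    {"type": "domain", "value": "kirk-payment[.]example",
     "story": "Kirk Ransomware", "tags": ["Ransomware"]},
    {"type": "ipv4", "value": "192.0.2.44",
     "story": "MajikPOS", "tags": ["MajikPOS", "Credit card theft"]},
    # Placeholder hash (MD5 of the empty string), not a real sample hash.
    {"type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E",
     "story": "Blank Slate", "tags": ["Malspam", "Cerber"]},
]

# Constructed log lines mixing proxy, firewall and endpoint records.
SAMPLE_LOGS = [
    "2017-03-20T09:12:01Z proxy src=10.0.0.7 dst=kirk-payment.example method=POST status=200",
    "2017-03-20T09:13:44Z firewall allow 10.0.0.9 -> 192.0.2.44:443",
    "2017-03-20T09:15:02Z edr proc=winword.exe child=wscript.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "2017-03-20T09:16:10Z proxy src=10.0.0.7 dst=update.vendor.example method=GET status=304",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # also catches names like winword.exe; harmless


def refang(value: str) -> str:
    """Undo common defanging ("[.]", "hxxp") and case differences so the indicator
    compares equal to the raw form that appears in logs."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def index_indicators(indicators: Iterable[dict]) -> Dict[str, Dict[str, dict]]:
    """Group normalised indicator values by type for constant-time lookups."""
    index: Dict[str, Dict[str, dict]] = {}
    for ioc in indicators:
        index.setdefault(ioc["type"], {})[refang(ioc["value"])] = ioc
    return index


def extract_candidates(line: str) -> Dict[str, set]:
    """Pull every IPv4 address, hash and hostname out of a log line, keyed by
    the indicator type it should be compared against."""
    low = line.lower()
    hashes = HASH_RE.findall(low)
    return {
        "ipv4": set(IPV4_RE.findall(low)),
        "domain": set(HOST_RE.findall(low)),
        "md5": {h for h in hashes if len(h) == 32},
        "sha1": {h for h in hashes if len(h) == 40},
        "sha256": {h for h in hashes if len(h) == 64},
    }


def match_logs(lines: Iterable[str], indicators: Iterable[dict]) -> List[dict]:
    """Return one hit per (line, indicator) pair, carrying the story and tags."""
    index = index_indicators(indicators)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ioc_type, candidates in extract_candidates(line).items():
            for value in sorted(candidates & set(index.get(ioc_type, {}))):
                ioc = index[ioc_type][value]
                hits.append({"line": lineno, "type": ioc_type, "value": value,
                             "story": ioc["story"], "tags": ioc["tags"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, INDICATORS):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} -> {hit['story']} {hit['tags']}")
```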

McDonalds India’s App Was a Golden Honeypot (March 19, 2017)
McDonald's India's mobile application leaked the Personally Identifiable Information (PII) of approximately 2.2 million users through a misconfigured server, according to researchers. The exposed PII consists of email addresses, full names, home addresses and coordinates, phone numbers, and social profile links.
Recommendation: Identity theft is always a risk when user information is entered into any kind of account. Therefore, information should only be entered into services provided by trusted vendors, and financial statements should always be monitored carefully.
Tags: Data leak, PII

Google Points to Another POS Vendor Breach (March 17, 2017)
Security researcher Brian Krebs discovered that Select Restaurants Inc., which owns multiple restaurants across the continental U.S., appears to have been compromised with Point of Sale (POS) malware. KrebsOnSecurity was contacted by financial institutions’ anti-fraud teams who were attempting to identify the common source of numerous fraudulent transactions. A quick Google search by Krebs revealed that Select Restaurants’ website “may be hacked.” As of this writing, the company has not commented on the purported breach.
Recommendation: POS systems need to be carefully maintained and kept up to date with the newest software patches because they are frequent targets of threat actors, especially in the U.S., where chip-and-PIN technology has taken longer to become commonplace than in other countries and regions. In the case of a POS infection, all systems that process financial data should be taken offline and reformatted to ensure the malware has been properly removed before reconnecting them to the network.
Tags: POS malware, Credit card theft

Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor! (March 16, 2017)
An Avast malware researcher has discovered a new Star Trek-themed malware dubbed “Kirk Ransomware.” Kirk Ransomware is written in Python and uses Monero, a cryptocurrency similar to Bitcoin, for victims to submit payments for decryption. Researchers note that this malware may be the first of its kind to demand payment in Monero. Kirk Ransomware increases the ransom the longer a victim waits. At the time of this writing, one Monero (XMR) is equivalent to $23.27; the first ransom demand is 50 XMR ($1,163.84).
Recommendation: Always keep your important files backed up. In the case of a ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware

Trend: Ransomware Hidden in NSIS Installers Harder to Detect (March 16, 2017)
Researchers have discovered a trend among ransomware threat actors: they are beginning to pack their malware inside Nullsoft Scriptable Install System (NSIS) installers. Actors are using the legitimate installer framework, combined with encryption, to hide their malicious code. The malware loads into a Windows computer’s memory, decrypts itself, and then executes. NSIS ransomware is primarily being distributed through spam campaigns containing JavaScript downloaders (some inside ZIP files), malicious Office documents, and .LNK files containing PowerShell scripts, all of which lead to downloads of malicious NSIS installers.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a usable backup is not available, a decryptor may be available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications that are not offered from the official website of the provider/developer.
Tags: Ransomware, NSIS Installers

MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks (March 15, 2017)
A new Point of Sale (POS) malware dubbed “MajikPOS” has been observed attacking targets in the wild with unique features, according to Trend Micro researchers. MajikPOS is capable of using Remote Access Trojans (RATs) to attack its target endpoints. The malware has been identified attacking Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) services by trying generic credentials and brute-forcing accounts. MajikPOS scrapes random access memory (RAM) for credit card data from multiple card vendors, which is then sent to a command and control (C2) server and posted for sale on underground markets.
Recommendation: POS security relies on the same type of preventative measures as any other computer, since a POS terminal is a specific type of computer. In the case of a confirmed MajikPOS infection, the POS system should be taken offline until it can be completely wiped and restored to its original factory settings.
Tags: MajikPOS, Malware, Credit card theft, RATs

Blank Slate Malspam Campaign Spreading Cerber Ransomware (March 15, 2017)
A spam campaign dubbed “Blank Slate,” because of its lack of email subject lines, has increased its botnet activity to primarily deliver Cerber ransomware; Sage 2.0 and Locky ransomware were also observed. The emails contain malicious Word documents that warn the recipient to enable macros to properly view the document. If a user enables macros, or opens an attached .js file, the Word macro or .js file reaches out to a web server to retrieve the malware and begin the infection process.
Recommendation: Your company should have policies in place that remind your employees to be meticulous and skeptical while reading emails. Anti-spam and antivirus protection should always be employed, and employees should always treat notices of failed financial transactions, poor grammar, and urgent-sounding subject lines with the utmost caution.
Tags: Malspam, Cerber, Ransomware, Phishing

NexusLogger: A New Cloud-based Keylogger Enters the Market (March 15, 2017)
A new keylogger malware dubbed “NexusLogger,” first discovered in late 2016, has been observed targeting individuals via phishing attacks, according to Unit 42 researchers. NexusLogger masquerades as a “Parental Monitoring Software Solution” and is offered for purchase on underground markets at prices ranging from $7 to $199, depending on the length of the subscription. Interestingly, the keylogger also specifically targets online game credentials for Minecraft, Origin, Steam, and UPlay.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic for delivering malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and how to report them to the appropriate personnel. In the case of a NexusLogger infection, the affected systems should be wiped and reformatted.
Tags: Keylogger, Malware, Phishing

U.S. Charges Two Russian Spies and Two Hackers for Hacking 500 million Yahoo Accounts (March 15, 2017)
U.S. prosecutors claim that approximately 30 million Yahoo email accounts were targeted in a massive spam campaign in order to gather information on their owners. The targeted individuals include journalists, government officials, and technology company employees. Yahoo had previously reported in 2016 that it believed the 2014 incident that compromised over 500 million Yahoo accounts was conducted by a state-sponsored group. The four defendants include two officers of the Russian Federal Security Service (FSB) and two threat actors identified as Alexsey Alexseyevich Belan and Karim Baratov.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Tags: Malspam, Yahoo, APT

Massive Data Leak in the U.S. Air Force Exposes Details of Over 4,000 Officers (March 15, 2017)
Researchers have discovered that an unnamed U.S. Air Force (USAF) Lieutenant Colonel’s backup drive was misconfigured in a way that allowed anyone to access the sensitive information it contained. An unspecified number of gigabytes of data was found to be accessible, including Personally Identifiable Information (PII) of over 4,000 USAF officers: full names, home addresses, lists of security clearances, phone numbers and contact information of staff and their spouses, and social security numbers.
Recommendation: Identity theft and fraud risks are always present for individuals who do not carefully monitor their credit card statements and online banking activity. Bank account and credit card numbers should be protected with the utmost care and only used with vendors that you trust to keep your information in compliance with the relevant standards. Always monitor your accounts and use identity theft and fraud prevention services to add an additional layer of security to your accounts.
Tags: Compromise, PII, Identity theft

PetrWrap: The New Petya-Based Ransomware Used in Targeted Attacks (March 14, 2017)
A new campaign has been discovered targeting organizations’ networks in order to download ransomware onto them, according to Kaspersky researchers. The threat actors are targeting servers with unprotected Remote Desktop Protocol (RDP) access. The actors have created a trojan dubbed PetrWrap that is written in C, compiled in MS Visual Studio, and carries version three of the Petya ransomware inside. The PetrWrap trojan waits approximately 90 minutes before decrypting Petya’s Dynamic Link Library (DLL) and calling the function that prepares the ransomware for further instructions.
Recommendation: Ensuring that your server is always running the most current software version is vitally important. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Furthermore, always practice defense in depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe). In the case of a ransomware infection, the affected systems should be wiped and reformatted, and other machines on the same network should be scanned for other potential infections.
Tags: PetrWrap, Ransomware, Trojan

Adobe Fixes Six Code Execution Bugs in Flash (March 14, 2017)
Adobe has once again released patches for vulnerabilities in its Flash Player on “Patch Tuesday.” Seven vulnerabilities were patched, six of which could be exploited by threat actors to execute malicious code. The patch covers one buffer overflow vulnerability, two memory corruption vulnerabilities, and three vulnerabilities that can be triggered after initial exploitation to achieve code execution.
Recommendation: Patch Tuesday should be observed consistently in order to apply the latest security updates to software used by your company. In Adobe’s case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Adobe, Vulnerabilities

Actively Exploited Struts Flaw Affects Cisco Products (March 13, 2017)
Cisco products have been identified as affected by a newly discovered vulnerability tracked as CVE-2017-5638. The vulnerability affects Cisco Identity Services Engine (ISE), specifically Apache Struts versions 2.3.5 through 2.3.31, 2.5 through 2.5.10, as well as 2.3.32 and 2.5.10. CVE-2017-5638 is a remote code execution vulnerability that has been actively exploited by threat actors in the wild; however, Cisco researchers report that they have not seen attackers specifically target Cisco products.
Recommendation: Zero-day-based attacks can sometimes be detected by less conventional methods, such as behavior analysis and heuristic and machine learning based detection systems. Threat actors are often observed exploiting vulnerabilities even after they have been patched by the affected vendor. Therefore it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: Vulnerabilities

Cyberattacks Hit the Dutch After Erdogan Speech (March 13, 2017)
Websites based in the Netherlands have been defaced by a team of threat actors identifying themselves as “PrivateHackers.” These defacements appear to have occurred because of tensions between the Dutch and Turkish governments. The tension arose after the Dutch government barred Turkish officials from holding rallies in Rotterdam. Turkish President Recep Tayyip Erdoğan then accused the Dutch of contributing to the 1995 Srebrenica massacre in Bosnia, referring to the failure of Dutch United Nations peacekeepers to protect the Muslim men who were killed.
Recommendation: This story represents the potential threats and attacks that can arise from current political developments. Therefore, awareness of tension between countries and governments can grant some insight as to where attacks may originate. It is crucial that server software be kept up to date with the most current versions, and that all external-facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Defacements

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development, with version 4 being released around October 2016. Cerber has been distributed through phishing lures, exploit kits, and malvertising.
Tags: cerber, ransomware

With Zelda: Breath of the Wild out on the Nintendo Switch, I made a home automation system based off the Zelda series using the ocarina from The Legend of Zelda: Ocarina of Time.

Listen!

Released in 1998, The Legend of Zelda: Ocarina of Time is still an iconic entry in the retro gaming history books.

Very few games have stuck with me in the same way Ocarina has, and I think it’s fair to say that, with the continued success of the Zelda franchise, I’m not the only one who has a special place in their heart for Link, particularly in this musical outing.

Allen, or Sufficiently Advanced, as his YouTube subscribers know him, has used a Raspberry Pi to detect and recognise key tunes from the game, with each tune being linked (geddit?) to a specific task. By playing Zelda’s Lullaby (E, G, D, E, G, D), for instance, Allen can lock or unlock the door to his house. Other tunes have different functions: Epona’s Song unlocks the car (for Ocarina noobs, Epona is Link’s horse sidekick throughout most of the game), and Minuet of Forest waters the plants.

So how does it work?

It’s a fairly simple setup based around note recognition. When certain notes are played in a specific sequence, the Raspberry Pi detects the tune via a microphone within the Amazon Echo-inspired body of the build, and triggers the action related to the specific task. The small speaker you can see in the video plays a confirmation tune, again taken from the video game, to show that the task has been completed.

As for the tasks themselves, Allen has built a small controller for each action, whether it be a piece of wood that presses down on his car key, a servomotor that adjusts the ambient temperature, or a water pump to hydrate his plants. Each controller has its own small ESP8266 wireless connectivity module that links back to the wireless-enabled Raspberry Pi, cutting down on the need for a ton of wires about the home.
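The note-recognition step described above, as an added example and not Allen's own code: pitch estimates coming from a microphone front end are mapped to note names (equal temperament, A4 = 440 Hz, a 40-cent tolerance, both assumptions) and the most recent distinct notes are compared against registered tunes. Zelda's Lullaby is the sequence given in the post; the second tune, the action names and the sample pitch stream are constructed placeholders.

```python
import math
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple

NOTE_NAMES = ["C", "C#", "D", "D#", "E", "F", "F#", "G", "G#", "A", "A#", "B"]

# Registered tunes and the action each triggers. Zelda's Lullaby is the note
# sequence given in the post; the second sequence and both action names are
# constructed placeholders (it is not Epona's Song as played in the game).
TUNES: Dict[Tuple[str, ...], str] = {
    ("E", "G", "D", "E", "G", "D"): "toggle_front_door_lock",
    ("G", "E", "D", "G", "E", "D"): "unlock_car",
}


def freq_to_note(freq_hz: float, tolerance_cents: float = 40.0) -> Optional[str]:
    """Map a detected fundamental frequency to a pitch-class name, ignoring octave.

    Equal temperament with A4 = 440 Hz (assumed). Anything further than
    `tolerance_cents` from the nearest semitone is rejected, so breath noise,
    silence and badly tuned notes do not become spurious sequence entries."""
    if freq_hz <= 0:
        return None
    midi = 69 + 12 * math.log2(freq_hz / 440.0)
    nearest = round(midi)
    if abs(midi - nearest) * 100 > tolerance_cents:
        return None
    return NOTE_NAMES[nearest % 12]


class TuneRecognizer:
    """Keeps the most recent distinct notes and fires when they end in a tune."""

    def __init__(self, tunes: Dict[Tuple[str, ...], str]):
        self.tunes = tunes
        self.window: deque = deque(maxlen=max(len(t) for t in tunes))

    def feed(self, freq_hz: float) -> Optional[str]:
        """Consume one pitch estimate; return the action name if a tune completes."""
        note = freq_to_note(freq_hz)
        if note is None:
            return None
        # A held note is reported by the pitch detector on every frame; collapse
        # repeats so it counts once. (Tunes with immediate repeats would need
        # onset detection instead, which this example does not do.)
        if self.window and self.window[-1] == note:
            return None
        self.window.append(note)
        recent = tuple(self.window)
        for tune, action in self.tunes.items():
            if len(recent) >= len(tune) and recent[-len(tune):] == tune:
                self.window.clear()  # a tune fires once, then listening restarts
                return action
        return None


def recognize_stream(freqs: Iterable[float], tunes=TUNES) -> List[str]:
    """Run a whole sequence of pitch estimates through the recognizer."""
    recognizer = TuneRecognizer(tunes)
    return [a for a in (recognizer.feed(f) for f in freqs) if a is not None]


# Constructed pitch estimates: Zelda's Lullaby with a held E (two frames), one
# off-pitch frame (360 Hz, rejected) and a stray A afterwards.
SAMPLE_FREQS = [329.63, 329.63, 392.00, 360.0, 293.66, 329.63, 392.00, 293.66, 440.0]

if __name__ == "__main__":
    print(recognize_stream(SAMPLE_FREQS))  # ['toggle_front_door_lock']
```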

And yes, before anybody says it, we’re sure that Allen is aware that using tone recognition is not the safest means of locking and unlocking your home. This is just for fun.

Do-it-yourself home automation

While we don’t necessarily expect everyone to brush up on their ocarina skills and build their own Zelda-inspired home automation system, the idea of using something other than voice or text commands to control home appliances is a fun one.

You could use facial recognition at the door to start the kettle boiling, or the detection of certain gasses to – ahem! – spray an air freshener.

We love to see what you all get up to with the Raspberry Pi. Have you built your own home automation system controlled by something other than your voice? Share it in the comments below.

Automated vehicles have the potential to revolutionise our day-to-day lives, but these kinds of cyber-physical systems are vulnerable to attack by criminals. “Hackers could blackmail owners of self-driving cars” says Dr Alexander Kröller of TomTom and of the EU-funded SAFERtec project.
Source: Cybersecurity and digital privacy newsletter

Critical infrastructures such as railway networks, power stations and telephone grids are under daily attack by cyber criminals, according to Georg Peter, who is responsible for the European Reference Network for Critical Infrastructure Protection (ERNCIP).
Source: Cybersecurity and digital privacy newsletter


With the JavaWatch system from Terren Peterson, there’s (Raspberry Pi) ZERO reason for you ever to run out of coffee beans again!

By utilising many of the Amazon Web Services (AWS) available to budding developers, Terren was able to create a Pi Zero-powered image detection unit. Using the Raspberry Pi Camera Module to keep tabs on your coffee bean storage, it automatically orders a fresh batch of java when supplies are running low.

Coffee: quite possibly powering Pi Towers’ success

Here at Pi Towers, it’s safe to say that the vast majority of staff members run on high levels of caffeine. In fact, despite hitting ten million Pi boards sold last October, sending two Astro Pi units to space, documenting over 5,000 Code Clubs in the UK, and multiple other impressive achievements, the greatest accomplishment of the Pi Towers team is probably the acquisition of a new all-singing, all-dancing coffee machine for the kitchen. For, if nothing else, it has increased the constant flow of caffeine into the engineers…and that’s always a positive thing, right?

Here are some glamour shots of the beautiful beast:

Anyway, back to JavaWatch

Terren uses the same technology that can be found in an Amazon Dash button, replacing the ‘button-press’ stimulus with image recognition to trigger a purchase request.

“The service was straightforward to get working,” Terren explains on his freeCodeCamp blog post. “The Raspberry Pi Camera Module captures and uploads photos at preset intervals to S3, the object-based storage service by AWS.”

The data is used to calculate the amount of coffee beans in stock. For example, the jar in the following image is registered at 73% full:

It could also be 27% empty, depending on your general outlook on life.

Demonstration of DRS Capabilities with a project called JavaWatch. This orders coffee beans when the container runs empty.

Terren won second place in hackster.io’s Amazon DRS Developer Challenge for JavaWatch. If you are in need of regular and reliable caffeine infusions, you can find more information on the build, including Terren’s code, on his project page.
